Cold Boot Attacks on Post-Quantum Schemes
Ricardo Luis Villanueva Polanco

Thesis submitted to the University of London for the degree of Doctor of Philosophy

Information Security Group
School of Mathematics and Information Security
Royal Holloway, University of London
2018

Declaration

These doctoral studies were conducted under the supervision of Professor Kenneth G. Paterson.

The work presented in this thesis is the result of original research I conducted, in collaboration with others, whilst enrolled in the School of Mathematics and Information Security as a candidate for the degree of Doctor of Philosophy. This work has not been submitted for any other degree or award in any other university or educational establishment.

Ricardo Luis Villanueva Polanco
June 2018

Abstract

Cryptographic models are intended to represent an adversary's capabilities when attacking encryption schemes. Models often err on the side of caution by over-estimating the power of adversaries. However, several recent attacks reported in the literature demonstrate that measuring an adversary's potential is a difficult task. This thesis views the cryptographic landscape from the perspective of an adversary and the implementer. We study how an adversary can take advantage of leaked information about a private key. The particular scenario we study is the cold boot attack, whereby an adversary can procure a noisy version of the key (i.e. the extracted data will contain errors) from a computer's main memory. Such an attack is not traditionally modelled by the standard security games. We show how the adversary might recover the original secret key, and hence compromise security, for some lattice-based schemes such as NTRU and BLISS, as well as the signature scheme Rainbow, which is based on multivariate polynomials over a finite field, and finally the McEliece cryptosystem, which is a code-based asymmetric encryption scheme.
We mount our attacks against specific real-world implementations of each of these schemes. For each scheme, we study it and review at least one real-world implementation of it. Moreover, for each implementation of a particular scheme, we concern ourselves with acquiring knowledge of and evaluating each of the formats used to store the scheme's private key in memory, and then propose specific algorithms for key recovery in the cold boot attack setting. Our approach to key recovery is general and based on the combination of key enumeration algorithms and other techniques. Basically, an original secret key is seen as a concatenation of multiple chunks, each of which has a fixed number of bits and can take multiple values. These chunks are then combined to produce candidates for the secret key. Such key enumeration algorithms have already been used in other side-channel scenarios, with a variety of different approaches to solving the problem.

Contents

1 Introduction 13
  1.1 Motivation 13
  1.2 Thesis Structure 15
  1.3 Associated Publications 16
2 Background 17
  2.1 Side Channel Attacks 17
  2.2 Cold Boot Attacks 18
    2.2.1 RSA Setting 21
    2.2.2 Discrete Logarithm Setting 22
    2.2.3 Symmetric Key Setting 22
    2.2.4 Learning with Errors Setting 22
  2.3 Cold Boot Attack Model 23
  2.4 Log Likelihood Statistic for Key Candidates 24
  2.5 Combining Chunks to Build Key Candidates 24
3 Key Enumeration Algorithms 26
  3.1 Introduction 26
    3.1.1 Some Definitions 26
    3.1.2 Problem Statement 27
  3.2 Key Enumeration Algorithms 29
    3.2.1 An Optimal Key Enumeration Algorithm 29
      3.2.1.1 Setup 29
      3.2.1.2 Basic Algorithm 30
      3.2.1.3 Complete Algorithm 31
      3.2.1.4 Memory Consumption 34
    3.2.2 A Bounded-Space Near-Optimal Key Enumeration Algorithm 36
      3.2.2.1 Basic Algorithm 36
      3.2.2.2 Complete Algorithm 38
      3.2.2.3 Parallelisation 40
      3.2.2.4 Variant 42
    3.2.3 A Simple Stack-Based, Depth-First Key Enumeration Algorithm 42
      3.2.3.1 Setup 43
      3.2.3.2 Complete Algorithm 44
      3.2.3.3 Speeding up the Pruning Process 44
      3.2.3.4 Memory Consumption 45
      3.2.3.5 Parallelisation 46
      3.2.3.6 Threshold Algorithm 47
    3.2.4 A Score-Based Key Enumeration Algorithm 48
      3.2.4.1 Complete Algorithm 50
      3.2.4.2 Parallelisation 52
      3.2.4.3 Running Times 53
      3.2.4.4 Memory Consumption 54
    3.2.5 A Key Enumeration Algorithm using Histograms 56
      3.2.5.1 Setup 56
      3.2.5.2 Complete Algorithm 57
      3.2.5.3 Parallelisation 59
      3.2.5.4 Memory Consumption 60
      3.2.5.5 Equivalence with the Path Counting Approach 61
    3.2.6 A Quantum Key Search Algorithm 62
  3.3 Comparison of Key Enumeration Algorithms 66
    3.3.1 Implementation 66
    3.3.2 Scenario 66
    3.3.3 Results per Algorithm 67
    3.3.4 Discussion 71
  3.4 Chapter Conclusions 72
4 Cold Boot Attack on NTRU 74
  4.1 Introduction 74
  4.2 NTRU Encryption Scheme 76
    4.2.1 NTRU Public Key Encryption Scheme 77
    4.2.2 The NTRU Key Recovery Problem 78
  4.3 Private Key Formats for NTRU Implementations 78
    4.3.1 The tbuktu/Bouncy Castle Java Implementation 79
    4.3.2 Reference Parameters for tbuktu 80
    4.3.3 The ntru-crypto Java Implementation 80
    4.3.4 The ntru-crypto C Implementation 80
    4.3.5 Reference Parameters for ntru-crypto 81
  4.4 Mounting Cold Boot Key Recovery Attacks 82
    4.4.1 Key Recovery Strategy 82
    4.4.2 The ntru-crypto Java Implementation 83
    4.4.3 The ntru-crypto C Implementation 84
    4.4.4 The tbuktu Java Implementation 86
  4.5 Experimental Evaluation 87
    4.5.1 Implementation 87
    4.5.2 Parallelisation 88
    4.5.3 Search Intervals 88
    4.5.4 Simulations 89
    4.5.5 Results for the ntru-crypto Java Implementation 89
    4.5.6 Results for the tbuktu Java Implementation 90
      4.5.6.1 Counting Candidates and Estimating Running Times 90
      4.5.6.2 Parameters 91
      4.5.6.3 Results – Complete Enumeration 91
      4.5.6.4 Results – Partial Enumeration 93
      4.5.6.5 Running Times 94
  4.6 Chapter Conclusions 94
5 Cold Boot Attacks on BLISS 95
  5.1 Introduction 95
  5.2 Preliminaries 97
    5.2.1 Notation 97
    5.2.2 Lattices and Bases 97
      5.2.2.1 Shortest Vector Problem (SVP) 98
      5.2.2.2 Bounded Distance Decoding (BDD) 98
      5.2.2.3 Babai's Nearest Plane Algorithm 99
  5.3 BLISS Signature Scheme 99
    5.3.1 The BLISS Key Generation Algorithm 99
  5.4 The strongSwan Project 100
    5.4.1 The strongSwan BLISS Implementation 100
  5.5 Mounting Cold Boot Key Recovery Attacks 102
    5.5.1 Initial Observations 102
    5.5.2 Key Recovery Via Key Enumeration 103
      5.5.2.1 Constructing Lf from s1' 103
      5.5.2.2 Constructing Lh from s2' 104
      5.5.2.3 Combining Lf and Lh 106
      5.5.2.4 Enumerating Only Candidates for f 107
    5.5.3 Casting the Problem as an LWE Instance 109
      5.5.3.1 Meet-in-the-Middle Attacks 111
      5.5.3.2 Parallel Collision Search 113
      5.5.3.3 Hybrid Attack on LWE 115
      5.5.3.4 Combining Lattice Techniques and Key Enumeration 116
  5.6 Experimental Evaluation 118
    5.6.1 Simulations 118
    5.6.2 Key Recovery Via Key Enumeration 119
      5.6.2.1 Parameters 119
      5.6.2.2 Setup 119
      5.6.2.3 Key Enumeration Algorithm for Phase II 119
      5.6.2.4 Results 121
  5.7 Chapter Conclusions 124
6 Cold Boot Attacks on Rainbow 126
  6.1 Introduction 126
  6.2 Multivariable Cryptosystems 128
    6.2.1 The Oil and Vinegar Signature Scheme 129
    6.2.2 Rainbow, a Signature Scheme 131
  6.3 Rainbow Implementations 134
    6.3.1 The Reference Implementation 134
    6.3.2 The.
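The abstract describes key recovery as scoring fixed-width chunks of a noisy key and combining them into whole-key candidates (the log-likelihood statistic and chunk combination listed as Sections 2.4 and 2.5, and the stack-based depth-first enumeration with a threshold of Section 3.2.3). The simulation below is an added example and not code from the thesis: it assumes a constructed asymmetric decay model (ALPHA, BETA are illustrative values, not measured ones), 4-bit chunks, and a SHA-256 commitment to the key standing in for the public-key check that would confirm a candidate, and it counts how many candidates must be tried before the true key is reached.

```python
import hashlib, math, random

# Assumed decay model (constructed for this example): a stored 1 reads back as 0 with
# probability ALPHA, a stored 0 reads back as 1 with probability BETA (much rarer).
ALPHA, BETA = 0.20, 0.001
LOG_P = {(1, 1): math.log(1 - ALPHA), (1, 0): math.log(ALPHA),   # keys: (true, observed)
         (0, 0): math.log(1 - BETA), (0, 1): math.log(BETA)}

def degrade(key_bits, seed):
    """Simulate a cold boot read of key_bits under the decay model (seeded, repeatable)."""
    rng = random.Random(seed)
    return [b ^ (rng.random() < (ALPHA if b else BETA)) for b in key_bits]

def log_likelihood(true_bits, observed_bits):
    """Log-likelihood that true_bits was stored, given the noisy observed_bits."""
    return sum(LOG_P[(t, o)] for t, o in zip(true_bits, observed_bits))
def to_bits(value, width):
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]

def chunk_scores(noisy, width):
    """Per width-bit chunk (width must divide the key length): all 2^width values scored, best first."""
    tables = []
    for start in range(0, len(noisy), width):
        observed = noisy[start:start + width]
        table = [(log_likelihood(to_bits(c, width), observed), c) for c in range(1 << width)]
        tables.append(sorted(table, reverse=True))
    return tables

def enumerate_keys(tables, threshold):
    """Depth-first enumeration of whole keys scoring >= threshold; prune when the best completion falls short."""
    best_rest = [0.0] * (len(tables) + 1)          # best achievable score for chunks i.. onwards
    for i in range(len(tables) - 1, -1, -1):
        best_rest[i] = best_rest[i + 1] + tables[i][0][0]
    stack = [(0, 0.0, ())]                         # (next chunk index, score so far, chosen values)
    while stack:
        depth, acc, chosen = stack.pop()
        if depth == len(tables):
            yield chosen
            continue
        for score, cand in reversed(tables[depth]):  # best candidate pushed last, popped first
            if acc + score + best_rest[depth + 1] >= threshold:
                stack.append((depth + 1, acc + score, chosen + (cand,)))

def recover(key_bits, noisy, width, threshold):
    """Test candidates against a commitment to the key (stand-in for a public-key check)."""
    target = hashlib.sha256(bytes(key_bits)).digest()
    for tried, chosen in enumerate(enumerate_keys(chunk_scores(noisy, width), threshold), 1):
        bits = [b for c in chosen for b in to_bits(c, width)]
        if hashlib.sha256(bytes(bits)).digest() == target:
            return tried, bits                     # candidates checked, recovered key
    return None, None
```

The count returned by recover is the figure that matters when assessing exposure: a small count at realistic decay rates means the in-memory key format offers little protection once RAM has been imaged.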